Ronald Volgers discovered that the lppasswd component of the cups suite, the Common UNIX Printing System, is vulnerable to format string attacks due to insecure use of the LOCALEDIR environment variable. An attacker can abuse this behaviour to execute arbitrary code via crafted localization files and triggering calls to _cupsLangprintf(). This works as the lppasswd binary happens to be installed with setuid 0 permissions.
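
One way a setuid program can guard against the class of bug described above, as an added example (not code from CUPS or from this advisory): ignore the caller's LOCALEDIR when privileged, and accept a catalog string only if its printf conversions match the built-in message. The names pick_localedir, checked_message, fmt_signature and DEFAULT_LOCALEDIR are hypothetical, and the default path is an assumption.

```c
#include <string.h>
#define DEFAULT_LOCALEDIR "/usr/share/locale" /* assumed built-in path */

/* A setuid caller passes privileged = (getuid() != geteuid()); the
 * caller-controlled LOCALEDIR value is then never used. */
const char *pick_localedir(const char *env_value, int privileged)
{
    return (privileged || !env_value) ? DEFAULT_LOCALEDIR : env_value;
}

/* Write the argument signature of a printf-style format to out, e.g.
 * "s,ld," for "%s has %ld jobs". Returns -1 for anything outside the
 * strict subset: %n, '*', positional '$', or a truncated conversion. */
static int fmt_signature(const char *fmt, char *out, size_t outlen)
{
    size_t n = 0;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%')
            continue;
        if (*++p == '%')
            continue;                        /* literal "%%" */
        p += strspn(p, "-+ #0");             /* flags */
        p += strspn(p, "0123456789");        /* width */
        if (*p == '.')
            p += 1 + strspn(p + 1, "0123456789"); /* precision */
        size_t mods = strspn(p, "hljzt");    /* length modifiers */
        char conv = p[mods];
        if (conv == '\0' || !strchr("diouxXcsfeEgGp", conv) ||
            n + mods + 3 > outlen)
            return -1;
        memcpy(out + n, p, mods + 1);
        n += mods + 1;
        out[n++] = ',';
        p += mods;
    }
    out[n] = '\0';
    return 0;
}

/* Use the catalog string only if it consumes exactly the arguments the
 * compiled-in msgid does; otherwise fall back to the msgid itself. */
const char *checked_message(const char *msgid, const char *msgstr)
{
    char want[64], got[64];
    if (!msgstr || fmt_signature(msgid, want, sizeof want) != 0 ||
        fmt_signature(msgstr, got, sizeof got) != 0 || strcmp(want, got) != 0)
        return msgid;
    return msgstr;
}
```

The check is deliberately strict: a translation that reorders arguments with positional conversions is rejected and the built-in English message is printed instead.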

For the stable distribution (lenny), this problem has been fixed in version 1.3.8-1+lenny8.

For the testing distribution (squeeze) this problem will be fixed soon.

For the unstable distribution (sid) this problem has been fixed in version 1.4.2-9.1.

We recommend that you upgrade your cups packages.

Upgrade instructions
--------------------

wget url will fetch the file for you
dpkg -i file.deb will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given below: